7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
64.4%
APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent is vulnerable to Google Gson (gson-2.8.2.jar ) 217225, CVE-2022-25647. The fix/workaround includes gson-2.8.2.jar upgraded to gson-2.10.1.jar.
CVEID:CVE-2022-25647
**DESCRIPTION:**Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
**IBM X-Force ID:**217225
**DESCRIPTION:**Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
APM Agents for Monitoring | all |
IBM strongly recommends addressing the vulnerability now by upgrading:
Product Remediation
|
Fix
—|—
APM on-premise
|
1. APM WebSphere Application Server Agent release 8.1.4.0.20 (WAS Agent version: 07.30.14.19)
2. APM SAP NetWeaver Agent release 8.1.4.0.20 (SAP NetWeaver Agent version: 08.23.05.00)
Download the APM Agents installer from Passport Advantage. Please refer below link for download instructions:
<https://www.ibm.com/docs/en/capmp/8.1.4?topic=advantage-part-numbers>
For APM WebLogic Agent, this vulnerability is not fixed in APM 814020 release. Please follow below steps as a workaround:
gson-2.8.2.jar must be upgraded from Maven Repository: Search/Browse/Explore (mvnrepository.com)
Procedure:
Step 1: Stop the agent and replace gson-2.8.2.jar with it’s latest version gson-2.10.1.jar
Windows:
i. Navigate to the directory $CANDLEHOMEC\TMAITM6_x64<dchome><version>\ttdc\lib\ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of gson-2.8.2.jar and replace it with the latest version ie. gson-2.10.1.jar.
Linux:
i.Navigate to the directory $CANDLEHOMEC/<dchome>/<version>/ttdc/lib/ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of gson-2.8.2.jar and replace it with the latest version ie. gson-2.10.1.jar.
Step 2 : Restart the agent.
CPE | Name | Operator | Version |
---|---|---|---|
ibm application performance management | eq | 8.1.4 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
64.4%